Hi Fred,

Comments inline.

Thanks,
Praveen

On 1/23/14 7:32 AM, "Frederic Detienne (fdetienn)" <[email protected]>
wrote:

>> 
>>   1.2 What happens when a prefix administratively changes from behind one
>> branch to another? How do servers get notified about that?
>>  
>> [PRAVEEN] That's an interesting point Fred, and thanks for bringing it
>>up. First, please refer to the ADVPN_INFO Payload and PROTECTED_DOMAIN
>>sections (3.6 and 3.9, respectively) of
>>http://tools.ietf.org/html/draft-sathyanarayan-ipsecme-advpn-03. As a
>>general rule, each spoke can download updated PROTECTED_DOMAIN
>>information periodically, which advertises everything behind the hub and
>>all other spokes combined. Of course, this does not change if some
>>subnet has moved from behind spoke A to behind another spoke, B.
>>However, the Lifetime attribute of the ADVPN_INFO payload is key here.
>>We could see this being employed in a straightforward manner to allow
>>for this transition: a) the subnet can "disappear" and be unreachable
>>for one Lifetime, or b) the original spoke can redirect to the new spoke.
>
>It turns out I did read those sections and this is exactly what surprised
>me. Your answer is even more surprising.


[PRAVEEN] For a one-liner question, we could only imagine the scenario that
you are trying to solve. And this is what we could come up with. Maybe you
can provide a more detailed question on what scenario you would like to solve.
We could help in answering those scenarios.

When the admin changes the prefix of a spoke, the spoke's existing static
tunnel with the Hub gets renegotiated for the updated prefix in the TSi/TSr
payload. This event updates the Hub about the changed prefix information. Is
that what you wanted to know?

>
>Before going any further, is this resource exclusively exchanged between
>hub & spoke or also between spokes ?


[PRAVEEN] By "resource", do you mean the ADVPN_INFO payload or subnet
information? ADVPN_INFO is exchanged between spokes. Subnet information is
exchanged as part of TSi and TSr during IKE negotiation (which means between
hub & spoke and between spokes as well).

>
>thanks,
>
>       fred
>_______________________________________________
>IPsec mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/ipsec
>
>

